Reporting

How to use REST API to get results of a scheduled report?

bhjohns
Engager

Hello.  I know there have been a few posts on this topic, but I've been messing with it most of the day and the other posts weren't able to help me reach a solution.  Hoping someone can provide some guidance.

I'm looking to pull some aggregate information out of Splunk via API requests but wanted to pre-build the data set using a scheduled report in Splunk so that the API request will return faster just pulling the results of the last run vs running the search itself before returning results.

In the UI I've created a report named test.  I've tried a few different schedules and it ran twice earlier today, but at the moment I have it on the cron schedule of 0 1 * * 4 (1 on Thursdays).

Via the API I can fetch the saved report named test like this:

https://SPLUNKURL:8089/services/scheduled/views/test

but no matter what schedule I set or modify in the UI, the results always show

cron_schedule	0 6 * * 1
is_scheduled	0

with the same results when requesting

https://SPLUNKURL:8089/servicesNS/APP/search/scheduled/views/_ScheduledView__test

and when I try

https://SPLUNKURL:8089/services/scheduled/views/test/history

I simply receive

<response>
  <messages>
    <msg type="ERROR">Cannot find saved search with name '_ScheduledView__test'.</msg>
  </messages>
</response>

even though I know it ran twice in the last day and I can see the results in the UI.  Similarly, I tried updating the schedule via the API with

curl -u user:password --request POST 'https://SPLUNKURL:8089/services/scheduled/views/test/reschedule/' --data schedule_time=2022-03-03T04:00:01Z

and I get the same result

<response>
  <messages>
    <msg type="ERROR">Cannot find saved search with name '_ScheduledView__test'.</msg>
  </messages>
</response>

Am I missing something?  I see the scheduled view and it's scheduled in the UI but I can't figure out any way to see or access the schedule or history via the API.  Hoping someone can shed some light on things as it's not making sense to me at the moment.  Also if it's helpful I checked and I believe our Splunk server version is 6.6.7

0 Karma

bhjohns
Engager

In case anyone runs into this same issue.  Still haven't determined why the path being queried wasn't working, but we were able to find two different workarounds.  The first was to modify the endpoint we were hitting to:

https://SPLUNKURL:8089/servicesNS/nobody/cet/saved/searches/test/history

which successfully returned results and we could use the sids that were returned to query the results via

https://SPLUNKURL:8089/servicesNS/nobody/APP/search/jobs/SID/results

Alternatively, we found that we were able to pull the results directly with an API search query using loadjob like this:

curl -u user:password --request POST 'https://SPLUNKURL:8089/services/search/jobs/export' --data 'search=|%20loadjob%20savedsearch="USER:APP:test"&output_mode=json'


0 Karma
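The first workaround in the answer above, sketched as an added example that is not part of the original post: build the history URL, pick the newest sid from the history response, then build the results URL for that sid. The JSON field names `name` and `published`, the use of `output_mode=json` on these two endpoints, and the sample sids are assumptions; the HTTP requests themselves are left to curl as in the post.

```python
import json
from datetime import datetime
from urllib.parse import quote

BASE = "https://SPLUNKURL:8089"  # placeholder host, as written in the post


def _seg(value):
    # Percent-encode one path segment so report names containing spaces
    # or slashes cannot change which endpoint is addressed.
    return quote(value, safe="")


def history_url(owner, app, report, base=BASE):
    return (f"{base}/servicesNS/{_seg(owner)}/{_seg(app)}"
            f"/saved/searches/{_seg(report)}/history?output_mode=json")


def results_url(owner, app, sid, base=BASE):
    return (f"{base}/servicesNS/{_seg(owner)}/{_seg(app)}"
            f"/search/jobs/{_seg(sid)}/results?output_mode=json")


def latest_sid(history_body):
    """Return the sid of the most recently published run, or None if no runs."""
    entries = json.loads(history_body).get("entry", [])
    if not entries:
        return None  # report has not run yet, or its artifacts have expired

    def published(entry):
        # Assumed field: ISO 8601 timestamp of when the job was dispatched.
        return datetime.fromisoformat(entry["published"].replace("Z", "+00:00"))

    return max(entries, key=published)["name"]  # assumed: entry name is the sid


# Constructed sample of a history response (assumed shape, trimmed to two fields).
SAMPLE_HISTORY = json.dumps({"entry": [
    {"name": "scheduler__nobody__APP__test_at_1646269200_1",
     "published": "2022-03-03T01:00:00+00:00"},
    {"name": "scheduler__nobody__APP__test_at_1646355600_2",
     "published": "2022-03-04T01:00:00+00:00"},
]})

if __name__ == "__main__":
    print(history_url("nobody", "APP", "test"))
    print(results_url("nobody", "APP", latest_sid(SAMPLE_HISTORY)))
```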
